08-12-2012 11:10 PM
I am interested in hearing from other TRIM customers who have looked at integrating TRIM and AD.
We have been requested to investigate linking TRIM to our AD and have all the relevant role based access controls for any users residing in AD and synced with HP TRIM.
We have investigated the TRIM LDAP module but we have firstly had difficulties finding customers using this tool in production. Secondly our own testing has also indicated there were a number of shortcomings with the product which meant it would be difficult for us to recommend its use in our environment.
I have raised an enhancement request with HP to create a new AD TRIM integration module (or at least improve the current).
If there are other customers who are also considering integrating TRIM and AD, I would encourage you to support this enhancement request.
Alternatively if there are sites who have created your own TRIM and AD integration tool, I would also like to hear from you.
08-12-2012 11:40 PM
One question to ask is where does your AD get its information from ??
In our organisation the AD is populated from the corporate directory system. As the IT section only use it to create logins (they get a Login ID, User name, and Active status) so synching with AD would only give us some information.
So we sync trim with the same corporate directoy system that AD uses which gives us in addition to people information, positions, organisational structure and security clearances. (with the membership of people to position and position to their organisational structure.
10-25-2012 09:06 AM
My experience with this tool is that while it provides the ability to stop manually entering a users data, it does not alleviate the burden of association or permissions without a great deal of configuration and planning. I do like the TRIM DS tool, but make friends with your local AD administrator and you'll succeed.
Because the active directories I have seen seem to lack consistent policy in terms of group/org creation and specific metadata for persons, only the basics could be used for a sync to start out (name, email, login).
Everything that should be easier and more efficient inherently becomes a mess because group membership in AD did not indicate permission level or much org structure. Therefore trying to use AD security groups for TRIM access controls not only looks ugly (because IT didn't name them like RM or an Org Chart would) but becomes scary due to that one person that wanted another person in the AD group (for whatever reason) with consideration only for SP or File Share access, not TRIM.
So if you can get a sync from AD that uses "memberof memberof" associations that you trust and can use in TRIM, it gives you a good point to start using "AD groups" for access controls in TRIM.
This may or may not help much with a user's permission level in TRIM. Unless you can give a big majority of users one permission, and apply individuals the higher levels they would need without creating a hundered different entries in the TRI DS config.
The one item that can cause an issue is what becomes your default Org or Group in TRIM if you use the Memberof Memberof association. If you rely on your default org to determine an Owner/Assignee/Home and that determines access controls, you might end up with a user creating a folder with access controls limited to "3rd Floor Bathroom Key Holders" : )
05-01-2013 06:14 PM
I ended up writing one for our organisation that queries AD directly every couple of hours. You do need a good structure though and if we had a corporate directory that would have been much easier.